Hi Chris,
thank you for using Knot DNS, as well as for migrating to some better
DNSSEC algorithm :)
Although an algorithm rollover can be performed very easily with Knot
DNS, it's not an easy process by itself, and it's necessary to first
understand it in general.
Algorithm rollover has several steps and there are necessary delays
between them, so it will probably take much more than an hour.
When you try for the first time, I would recommend starting with a much
simpler ZSK rollover, then a KSK rollover, and once you get familiar,
you'll be able to handle algorithm rollovers easily.
It's not recommended to modify your keys manually with keymgr while
automatic key management is doing things. And the `del-all-old` feature is
only intended for a special Offline KSK setup.
It might also surprise you that reverting the configuration does not
always lead to reverting the state. For example, if you trigger an
algorithm rollover by changing the configuration, the process will
start, and if you revert the configuration at that stage, I'm not sure
what will happen, but probably not a flawless return to the original
algorithm.
A final hint: use https://dnsviz.net/ to check your zone state.
Libor